| 1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374 |
- package trust
- import (
- "fmt"
- "time"
- log "github.com/Sirupsen/logrus"
- "github.com/docker/docker/engine"
- "github.com/docker/libtrust"
- )
- func (t *TrustStore) Install(eng *engine.Engine) error {
- for name, handler := range map[string]engine.Handler{
- "trust_key_check": t.CmdCheckKey,
- "trust_update_base": t.CmdUpdateBase,
- } {
- if err := eng.Register(name, handler); err != nil {
- return fmt.Errorf("Could not register %q: %v", name, err)
- }
- }
- return nil
- }
- func (t *TrustStore) CmdCheckKey(job *engine.Job) engine.Status {
- if n := len(job.Args); n != 1 {
- return job.Errorf("Usage: %s NAMESPACE", job.Name)
- }
- var (
- namespace = job.Args[0]
- keyBytes = job.Getenv("PublicKey")
- )
- if keyBytes == "" {
- return job.Errorf("Missing PublicKey")
- }
- pk, err := libtrust.UnmarshalPublicKeyJWK([]byte(keyBytes))
- if err != nil {
- return job.Errorf("Error unmarshalling public key: %s", err)
- }
- permission := uint16(job.GetenvInt("Permission"))
- if permission == 0 {
- permission = 0x03
- }
- t.RLock()
- defer t.RUnlock()
- if t.graph == nil {
- job.Stdout.Write([]byte("no graph"))
- return engine.StatusOK
- }
- // Check if any expired grants
- verified, err := t.graph.Verify(pk, namespace, permission)
- if err != nil {
- return job.Errorf("Error verifying key to namespace: %s", namespace)
- }
- if !verified {
- log.Debugf("Verification failed for %s using key %s", namespace, pk.KeyID())
- job.Stdout.Write([]byte("not verified"))
- } else if t.expiration.Before(time.Now()) {
- job.Stdout.Write([]byte("expired"))
- } else {
- job.Stdout.Write([]byte("verified"))
- }
- return engine.StatusOK
- }
- func (t *TrustStore) CmdUpdateBase(job *engine.Job) engine.Status {
- t.fetch()
- return engine.StatusOK
- }
|
